India’s Internet Control Rules Finalized; Blasphemy?

If there’s a segment that indicates how poorly thought out India’s finalized Internet control rules are, it is sub-rules 2 and 4 of the segment pertaining to Intermediaries in the country’s finalized Information Technology rules: the first of which defines what actions by a user can result in the removal of content (via intermediaries like ISPs, hosting service providers and social networks), and the latter, which defines who can get the content removed, and how. You can find a copy of the final rules here (pdf, specifically between pages 11 and 14), and an annotated version of the Intermediary guidelines here, and there are significant changes.

In our opinion, these rules give the Indian government the ability to gag free speech, and block any website it deems fit, without publicly disclosing why sites have been blocked, who took the decision to block them, and just as importantly, providing adequate recourse to blogs, sites and online and mobile businesses, for getting the block removed. These rules are applicable to intermediaries, through which access to content will be controlled.

It is a set of rules that we think is manipulative in its approach, but clearly in line with a pattern we have observed with government regulations relating to digital activity, what we like to call the troika of paranoia – increasing monitoring, identification and the power to restrict/block; 7,500 to 9,000 orders for interception of telephones per month is not a joke. If you think it’s unlikely that any well known large sites might be blocked in India – think again. As indicated by screenshots and comments sent in by MediaNama readers, access to blog hosting site Typepad and mobile applications marketplace Mobango are/were blocked by ISPs in the country for no disclosed reason. And other sites are blocked as well.

Our take:
– The phrases ‘grossly harmful’, ‘obscene’, ‘racially or ethnically objectionable’ are vague and open to interpretation, and thus subject to misuse when any government organization wants to misuse them. Who interprets how these phrases are defined?
– Who defines ‘blasphemous’? For example, is a McDonald’s advertisement for a beef burger blasphemous for Hindus in India? What about a recipe for pork stew for Muslims? India doesn’t even have a blasphemy law, so who interprets what is blasphemous or not?
– invasive of another’s privacy: who interprets what is invasive of another’s privacy? Can someone, post a bad break up, file a complaint and get an ex-boyfriend or girlfriend punished for publishing photos on Facebook or Twitter? Who at an ISP or the government defines when there is consent, or is a lack of denial the same as consent?
– encouraging money laundering or gambling: gambling is illegal in India, but the Internet is awash with ads for online betting sites. What happens when ad networks automatically serve advertisements which encourage gambling? Will they be held accountable in India? Remember that these rules are applicable for anything served within India, and not necessarily applicable to Indian ventures only.

2. Additionally, Sub Rule 2 also states that users may not publish anything that threatens the unity, integrity, defence, security or sovereignty of India, friendly relations with foreign states, or public order or causes incitement to the commission of any cognisable offence or prevents investigation of any offence or is insulting any other nation.

Our take:
– the unity, integrity, defence, security or sovereignty of India; public order: didn’t the Jan Lokpal protests threaten public order, and wasn’t a lot of the commentary online anti-government? Who decides whether ‘anti-government’ statements are ‘anti-national’, or for that matter, statements criticizing a particular politician or political family?
– in the same vein, don’t disclosures made by Wikileaks do exactly what has been mentioned above, and threaten friendly relations with foreign states? Why should criticism or disclosures of sensitive information be the mandate of offline media? Information that doesn’t make it to TV, or gets limited play in print, can be leaked online.
– On a positive note, the phrase ‘causes annoyance or inconvenience or deceives or misleads’ has been removed.

3. How the control is being exercised: Sub rule 4 states that

“(4) The intermediary, on whose computer system the information is stored or hosted or published, upon obtaining knowledge by itself or been brought to actual knowledge by an affected person in writing or through email signed with electronic signature about any such information as mentioned in sub-rule (2) above, shall act within thirty six hours and where applicable, work with user or owner of such information to disable such information that is in contravention of sub-rule (2). Further the intermediary shall preserve such information and associated records for at least ninety days for investigation purposes.”

This change in the rules means that there’s even less oversight when it comes to dealing with complaints under the IT Act. This means that if I am offended by anything anyone has said on the Internet, that I feel is blasphemous, promotes gambling, is grossly harmful, disrupts public order, is racially or ethnically objectionable, or can threaten friendly relations with foreign states, I only need to send a letter in writing to an ISP, and an ISP needs to act on it within 36 hours? Who is the ISP to decide whether the complaint is a genuine one or not? In the previous version of the law, the complaint could be made by “an authority mandated under law”, so this change is even worse, and makes the complaints system easy to abuse and manipulate.

4. Interception: Sub rule 7 on Interception states that: “When required by lawful order, the intermediary shall provide information or any such assistance to Government Agencies who are lawfully authorised for investigative, protective, cyber security activity. The information or any such assistance shall be provided for the purpose of verification of identity, or for prevention, detection, investigation, prosecution, cyber security incidents and punishment of offences under any law for the time being in force, on a request in writing stating clearly the purpose of seeking such information or any such assistance.”

The previous version of the order did not allow intermediaries to disclose personal information, but here the Indian government is clearly ensuring that it can access information.

Other key changes – The definition of blogs and bloggers has been removed. As we had mentioned earlier, there was no reason for specifically defining or mentioning bloggers since they are intermediaries. Important: please note that this is a red herring – the removal of the definition of blogs and bloggers does not mean that they will no longer be governed by these rules. Bloggers are covered under the expanded definition of ‘user’, who is “someone who accesses or avails a computer resource of an intermediary for hosting, publishing, sharing, transacting, displaying or uploading, and includes persons jointly participating in using the computer resource”.

Note: This is our interpretation of the rules, and our understanding of laws and policy is limited. Correct us if you think you have a different interpretation, especially if it is conflicting information, or do share any additional points of note from the rules themselves, and we’ll update with credit.

You are wrong about #3. It says “The intermediary, on whose computer system the information is stored or hosted or published”. Where does it say ISP? It means the provider of the service such as Google or Facebook etc. Google and Facebook already do moderation on report abuse and they decide if it is harmful content or not.
What’s so new about it?

Tarun Dua

Piyush these are onerous responsibilities being placed on startups doing platforms similar to facebook in India. With these kind of rules in place the ‘next twitter’ is certainly find India a very convenient birthplace, our government will continue dealing with the big companies. A plethora of rules creates entrenchment for existing players and limits creative destruction inherent in an efficient free market.

Piyush Ranjan

There is nothing wrong in this. The “next twitter” should make sure it has a good ‘report abuse’ mechanism in place. Twitter has report abuse and handle theft mechanism. We are unnecessarily reading more here than we should.

Tarun Dua

ISPs/webhosts by definition here are intermediaries.

Piyush Pr

Tarun
There is a huge difference between an ISP and a webhost. Some ISPs provide webhosting but that does not mean all ISPs are webhosts. ISPs carry traffic and they do not store that traffic.

Interesting observations. I disagree with your picking off “invasive of another’s privacy” as something that is objectionable in these provisions. You will find the European Commission is in fact working towards a right of privacy that includes “the right to be forgotten” or the right to be left alone. Other dynamics are also emerging which need being taken into account. Insurance firms, for instance, have told customers not to share their travel and holiday plans on Facebook because should a burglary etc happen, claims may fail on grounds of the customer not having exercised due care. There is a range of instances where a person’s privacy can be violated by others leading to unforeseeable damage and there is no such right for ordinary persons. You may argue whether or to what extent “celebrities” and others that actively court publicity could fight for such a right. But let’s face it – a vast majority of web users are not celebrities of any description.

Nikhil Pahwa

I’m picking off ‘invasive of another’s privacy’ because it’s arbitrary to put the responsibility of taking that decision on whether something is invading privacy on an intermediary instead of a court.

Take the example of Outlook and Open publishing recorded phone conversations between Niira Radia and others. Using this process, any of them can file a complaint in writing with either Outlook or their server hosts and get that content removed. I’m in favor of upholding privacy – and don’t agree with the interception rules. It’s just that the decision should not be left to every intermediary, which may not be the right entity to take that decision.

Nikhil: See Salil’s point above. I think that is a real and definitional criticism that you may want to include in your analysis.

Salil

European Human Rights Charter has a huge contradiction – between Art 8 and Art 10. One assures free speech, the other assures privacy. This is where Americans have got it right, with their first amendment, and absence of malice doctrine, which allows media to make mistakes. NYT v Sullivan is a good case in this regard. UK does have the Reynolds defence where public interest trumps private concerns. But in general, European reading of “privacy” is scandalous. NYT v Sullivan is clear in distinguishing between public and private individuals. That’s a good starting point. A blanket support of privacy only offers privacy to the rich, who can afford lawyers who can get the injunctions.

Salil: //..public and private individuals// – this is an important distinction which needs to be made. As you point out, the rich (often a huge overlap with “public individuals”) can often buy privacy which the not-so-rich cannot. This creates a market in rights, in my view, which is wrong. Privacy – for private individuals per above distinction – cannot be by negotiation or by interpretation of an agency, but by default. Also the issue does not exist in isolation. The proportionality and scope of potential harm – and whether the cost of that damage is socialised – need to be taken into account. My not sharing my own travel plans hurts nobody; but my sharing of your home address, phone number and travel plans can lead to difficulties for you and for others. You however have a right, if you see it fit, to share your travel plans because then the onus of any losses ensuing is on you. (Last I looked, people are only concerned about laws insomuch as liability exists or potential losses can be accrued, hence the repetition in the argument).

Chrisjensen

I’ll be worried the day they start blocking Fakingnews.. Mobango and Typepag daya tel lene..

They’re building a ‘Great Firewall’ – but what if information is say posted abroad – say on Wikileaks, then what. Will the Indian Government run the PR disaster of blocking access to Wikileaks? This is why the judgement on the Gandhi-book might be interesting. Say, if I call Nikhil some names online – then what?

Anonymous

what we need is for CID to come in and say “Daya! darvaza todo”

PN

Are these being challenged in the Court? Or slated to be challenged in the Court? I am pretty sure these won’t stand the test of constitutional guarantees.

Noid

The new rules need to be interpreted with the help of guidelines in 2008 IT amendments, 2000 IT ACT and IPC. The key words and issues used in the new rules have been defined by the earlier laws.

Though still the new rules remain very loosely worded and problematic. But not as much as what you have interpreted here.